quasar | 28eb5915b45f87b4ff342dbfb0122757217e79277770e9fd06a6342009c56829

Resubmissions

28-12-2024 12:38

241228-pt81aaylhk 10

28-12-2024 12:25

241228-plre9sxqgx 10

Analysis

max time kernel
593s
max time network
603s
platform
windows11-21h2_x64
resource
win11-20241007-en
resource tags

arch:x64arch:x86image:win11-20241007-enlocale:en-usos:windows11-21h2-x64system
submitted
28-12-2024 12:25

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

OperaGXSetup (41).exe
Size

3.8MB
MD5

f6a94c99deff44303f682dd2bb7d3d12
SHA1

f2c6fa65a69a67a3e2120cfbb61511a495c18688
SHA256

28eb5915b45f87b4ff342dbfb0122757217e79277770e9fd06a6342009c56829
SHA512

16edb4c4ef94a0e19088c69a3150fc2f0e158e707eb8a4a085d7e95eecde2fbdc4bdd1afbb3fc0b13d179d2a4e60f60de14a4224a998dfb6d944dea6441ec3ec
SSDEEP

49152:ZVAbwA+j3AtriaXicL8D8nqdZqb8oM28CBHmLOIt/ZwDAakqbMz3Lnn7cAWFJJL:PA+jxJIfMKmLOIt/yDh7MbLnnXWFv

Score

10^/10

quasar office04 discovery spyware stealer trojan

Malware Config

Extracted

Family

quasar

Version

1.4.1

Botnet

Office04

192.168.56.1:4782

Mutex

87f91b59-5c0a-4fdb-a6da-c0d91c465167

Attributes

encryption_key
2BAF13F1E7F5D90A54B973408B090D5AE355EEAE
install_name
Client.exe
log_directory
Logs
reconnect_delay
3000
startup_key
EpicGames
subdirectory
SubDir

Signatures

Quasar RAT
Quasar is an open source Remote Access Tool.
trojan spyware quasar
Quasar family
quasar

Quasar payload 2 IoCs

resource	yara_rule
behavioral1/memory/3528-614-0x00000000007E0000-0x0000000000B04000-memory.dmp	family_quasar
behavioral1/files/0x001e00000002aac8-617.dat	family_quasar

Executes dropped EXE 4 IoCs

pid	Process
6056	setup.exe
5936	setup.exe
5208	setup.exe
5244	Client.exe

Loads dropped DLL 3 IoCs

pid	Process
6056	setup.exe
5936	setup.exe
5208	setup.exe

Reads user/profile data of web browsers 3 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Credentials from Web Browsers
T1555.003

Enumerates connected drives 3 TTPs 2 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
File opened (read-only)	\??\D:	setup.exe
File opened (read-only)	\??\F:	setup.exe

Browser Information Discovery 1 TTPs
Enumerate browser information.
discovery

Browser Information Discovery
T1217

Program crash 1 IoCs

pid	pid_target	Process	procid_target
1216	5936	WerFault.exe	78

System Location Discovery: System Language Discovery 1 TTPs 5 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	OperaGXSetup (41).exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	setup.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	setup.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	setup.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	DllHost.exe

Checks processor information in registry 2 TTPs 8 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~Mhz	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	firefox.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Signature	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Revision	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier	firefox.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~Mhz	firefox.exe

Modifies registry class 5 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-3973800497-2716210218-310192997-1000_Classes\Local Settings	firefox.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3973800497-2716210218-310192997-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoftwindows.client.cbs_cw5n1h2txyewy\Internet Settings\Cache\Content\CachePrefix	BackgroundTransferHost.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3973800497-2716210218-310192997-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoftwindows.client.cbs_cw5n1h2txyewy\Internet Settings\Cache\Cookies\CachePrefix = "Cookie:"	BackgroundTransferHost.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3973800497-2716210218-310192997-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoftwindows.client.cbs_cw5n1h2txyewy\Internet Settings\Cache\History\CachePrefix = "Visited:"	BackgroundTransferHost.exe
Key created	\REGISTRY\USER\S-1-5-21-3973800497-2716210218-310192997-1000_Classes\Local Settings\MuiCache	BackgroundTransferHost.exe

NTFS ADS 1 IoCs

description	ioc	Process
File created	C:\Users\Admin\Downloads\crabby rat.zip:Zone.Identifier	firefox.exe

Scheduled Task/Job: Scheduled Task 1 TTPs 2 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence execution

Scheduled Task

T1053.005

pid	Process
648	schtasks.exe
3204	schtasks.exe

Suspicious behavior: EnumeratesProcesses 4 IoCs

pid	Process
5936	setup.exe
5936	setup.exe
5936	setup.exe
5936	setup.exe

Suspicious use of AdjustPrivilegeToken 12 IoCs

description	pid	Process
Token: SeDebugPrivilege	1392	firefox.exe
Token: SeDebugPrivilege	1392	firefox.exe
Token: SeDebugPrivilege	1392	firefox.exe
Token: SeDebugPrivilege	1392	firefox.exe
Token: SeDebugPrivilege	1392	firefox.exe
Token: SeDebugPrivilege	1392	firefox.exe
Token: SeDebugPrivilege	3528	real.exe
Token: SeDebugPrivilege	5244	Client.exe
Token: SeDebugPrivilege	5704	real.exe
Token: SeDebugPrivilege	1392	firefox.exe
Token: SeDebugPrivilege	1392	firefox.exe
Token: SeDebugPrivilege	1392	firefox.exe

Suspicious use of FindShellTrayWindow 21 IoCs

pid	Process
1392	firefox.exe
1392	firefox.exe
1392	firefox.exe
1392	firefox.exe
1392	firefox.exe
1392	firefox.exe
1392	firefox.exe
1392	firefox.exe
1392	firefox.exe
1392	firefox.exe
1392	firefox.exe
1392	firefox.exe
1392	firefox.exe
1392	firefox.exe
1392	firefox.exe
1392	firefox.exe
1392	firefox.exe
1392	firefox.exe
1392	firefox.exe
1392	firefox.exe
1392	firefox.exe

Suspicious use of SetWindowsHookEx 6 IoCs

pid	Process
6056	setup.exe
1392	firefox.exe
1392	firefox.exe
1392	firefox.exe
1392	firefox.exe
5244	Client.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 4620 wrote to memory of 6056	4620	OperaGXSetup (41).exe	77
PID 4620 wrote to memory of 6056	4620	OperaGXSetup (41).exe	77
PID 4620 wrote to memory of 6056	4620	OperaGXSetup (41).exe	77
PID 6056 wrote to memory of 5936	6056	setup.exe	78
PID 6056 wrote to memory of 5936	6056	setup.exe	78
PID 6056 wrote to memory of 5936	6056	setup.exe	78
PID 6056 wrote to memory of 5208	6056	setup.exe	79
PID 6056 wrote to memory of 5208	6056	setup.exe	79
PID 6056 wrote to memory of 5208	6056	setup.exe	79
PID 5912 wrote to memory of 1392	5912	firefox.exe	86
PID 5912 wrote to memory of 1392	5912	firefox.exe	86
PID 5912 wrote to memory of 1392	5912	firefox.exe	86
PID 5912 wrote to memory of 1392	5912	firefox.exe	86
PID 5912 wrote to memory of 1392	5912	firefox.exe	86
PID 5912 wrote to memory of 1392	5912	firefox.exe	86
PID 5912 wrote to memory of 1392	5912	firefox.exe	86
PID 5912 wrote to memory of 1392	5912	firefox.exe	86
PID 5912 wrote to memory of 1392	5912	firefox.exe	86
PID 5912 wrote to memory of 1392	5912	firefox.exe	86
PID 5912 wrote to memory of 1392	5912	firefox.exe	86
PID 1392 wrote to memory of 4132	1392	firefox.exe	87
PID 1392 wrote to memory of 4132	1392	firefox.exe	87
PID 1392 wrote to memory of 4132	1392	firefox.exe	87
PID 1392 wrote to memory of 4132	1392	firefox.exe	87
PID 1392 wrote to memory of 4132	1392	firefox.exe	87
PID 1392 wrote to memory of 4132	1392	firefox.exe	87
PID 1392 wrote to memory of 4132	1392	firefox.exe	87
PID 1392 wrote to memory of 4132	1392	firefox.exe	87
PID 1392 wrote to memory of 4132	1392	firefox.exe	87
PID 1392 wrote to memory of 4132	1392	firefox.exe	87
PID 1392 wrote to memory of 4132	1392	firefox.exe	87
PID 1392 wrote to memory of 4132	1392	firefox.exe	87
PID 1392 wrote to memory of 4132	1392	firefox.exe	87
PID 1392 wrote to memory of 4132	1392	firefox.exe	87
PID 1392 wrote to memory of 4132	1392	firefox.exe	87
PID 1392 wrote to memory of 4132	1392	firefox.exe	87
PID 1392 wrote to memory of 4132	1392	firefox.exe	87
PID 1392 wrote to memory of 4132	1392	firefox.exe	87
PID 1392 wrote to memory of 4132	1392	firefox.exe	87
PID 1392 wrote to memory of 4132	1392	firefox.exe	87
PID 1392 wrote to memory of 4132	1392	firefox.exe	87
PID 1392 wrote to memory of 4132	1392	firefox.exe	87
PID 1392 wrote to memory of 4132	1392	firefox.exe	87
PID 1392 wrote to memory of 4132	1392	firefox.exe	87
PID 1392 wrote to memory of 4132	1392	firefox.exe	87
PID 1392 wrote to memory of 4132	1392	firefox.exe	87
PID 1392 wrote to memory of 4132	1392	firefox.exe	87
PID 1392 wrote to memory of 4132	1392	firefox.exe	87
PID 1392 wrote to memory of 4132	1392	firefox.exe	87
PID 1392 wrote to memory of 4132	1392	firefox.exe	87
PID 1392 wrote to memory of 4132	1392	firefox.exe	87
PID 1392 wrote to memory of 4132	1392	firefox.exe	87
PID 1392 wrote to memory of 4132	1392	firefox.exe	87
PID 1392 wrote to memory of 4132	1392	firefox.exe	87
PID 1392 wrote to memory of 4132	1392	firefox.exe	87
PID 1392 wrote to memory of 4132	1392	firefox.exe	87
PID 1392 wrote to memory of 4132	1392	firefox.exe	87
PID 1392 wrote to memory of 4132	1392	firefox.exe	87
PID 1392 wrote to memory of 4132	1392	firefox.exe	87
PID 1392 wrote to memory of 4132	1392	firefox.exe	87
PID 1392 wrote to memory of 4132	1392	firefox.exe	87
PID 1392 wrote to memory of 4132	1392	firefox.exe	87
PID 1392 wrote to memory of 4132	1392	firefox.exe	87
PID 1392 wrote to memory of 4132	1392	firefox.exe	87

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\OperaGXSetup (41).exe
"C:\Users\Admin\AppData\Local\Temp\OperaGXSetup (41).exe"
1⤵
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:4620
- C:\Users\Admin\AppData\Local\Temp\7zSC02F77F7\setup.exe
  C:\Users\Admin\AppData\Local\Temp\7zSC02F77F7\setup.exe --server-tracking-blob=MDU5ZDYzYzYxOGQ2OWY3ZGY2N2RiOTkzYWY5MDk4NjE5YjM4MWJmMjJhNTAzZjJjYmY0YzdiYTcyYjdmOWIzNjp7ImNvdW50cnkiOiJVUyIsImh0dHBfcmVmZXJyZXIiOiJodHRwczovL3d3dy5vcGVyYS5jb20vIiwiaW5zdGFsbGVyX25hbWUiOiJPcGVyYUdYU2V0dXAuZXhlIiwicHJvZHVjdCI6Im9wZXJhX2d4IiwicXVlcnkiOiIvb3BlcmFfZ3gvc3RhYmxlL3dpbmRvd3M/dXRtX3NvdXJjZT1Mb290bGFicyZ1dG1fbWVkaXVtPXBhJnV0bV9jYW1wYWlnbj1Mb290bGFic19VUyZ1dG1fY29udGVudD0xMDE0OTAxJnV0bV9pZD0zNDY0Njg3NTgxODQyODUwNjImaHR0cF9yZWZlcnJlcj1odHRwcyUzQSUyRiUyRmxvb3RkZXN0Lm9yZyUyRiZ1dG1fc2l0ZT1vcGVyYV9jb20mdXRtX2xhc3RwYWdlPWxvb3RkZXN0Lm9yZyUyRiZkbF90b2tlbj02NzI4OTgxNCIsInRpbWVzdGFtcCI6IjE3MzUyODkzMjkuMzQyNiIsInVzZXJhZ2VudCI6Ik1vemlsbGEvNS4wIChXaW5kb3dzIE5UIDEwLjA7IFdpbjY0OyB4NjQpIEFwcGxlV2ViS2l0LzUzNy4zNiAoS0hUTUwsIGxpa2UgR2Vja28pIENocm9tZS8xMzEuMC4wLjAgU2FmYXJpLzUzNy4zNiBFZGcvMTMxLjAuMC4wIiwidXRtIjp7ImNhbXBhaWduIjoiTG9vdGxhYnNfVVMiLCJjb250ZW50IjoiMTAxNDkwMSIsImlkIjoiMzQ2NDY4NzU4MTg0Mjg1MDYyIiwibGFzdHBhZ2UiOiJsb290ZGVzdC5vcmcvIiwibWVkaXVtIjoicGEiLCJzaXRlIjoib3BlcmFfY29tIiwic291cmNlIjoiTG9vdGxhYnMifSwidXVpZCI6Ijk2YTc2ZGNiLTQ2ZDAtNGMwYS05ZWUwLTE5ZjMzOTUxZDZlZiJ9
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Enumerates connected drives
  - System Location Discovery: System Language Discovery
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:6056
- - C:\Users\Admin\AppData\Local\Temp\7zSC02F77F7\setup.exe
    C:\Users\Admin\AppData\Local\Temp\7zSC02F77F7\setup.exe --type=crashpad-handler /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Roaming\Opera Software\Opera GX Stable\Crash Reports" "--crash-count-file=C:\Users\Admin\AppData\Roaming\Opera Software\Opera GX Stable\crash_count.txt" --url=https://crashstats-collector-2.opera.com/ --annotation=channel=Stable --annotation=plat=Win32 --annotation=prod=OperaDesktopGX --annotation=ver=115.0.5322.124 --initial-client-data=0x338,0x33c,0x340,0x318,0x344,0x7435ed4c,0x7435ed58,0x7435ed64
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    PID:5936
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 5936 -s 876
      4⤵
      Program crash
      PID:1216
- - C:\Users\Admin\AppData\Local\Temp\.opera\Opera GX Installer Temp\setup.exe
    "C:\Users\Admin\AppData\Local\Temp\.opera\Opera GX Installer Temp\setup.exe" --version
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - System Location Discovery: System Language Discovery
    PID:5208

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 416 -p 5936 -ip 5936
1⤵
PID:3372

C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:5912
- C:\Program Files\Mozilla Firefox\firefox.exe
  "C:\Program Files\Mozilla Firefox\firefox.exe"
  2⤵
  - Checks processor information in registry
  - Modifies registry class
  - NTFS ADS
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:1392
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=1948 -parentBuildID 20240401114208 -prefsHandle 1864 -prefMapHandle 1828 -prefsLen 23678 -prefMapSize 244658 -appDir "C:\Program Files\Mozilla Firefox\browser" - {61f7abf6-67ef-4f3e-b69c-5853d95ce5d2} 1392 "\\.\pipe\gecko-crash-server-pipe.1392" gpu
    3⤵
    PID:4132
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=2348 -parentBuildID 20240401114208 -prefsHandle 2340 -prefMapHandle 2336 -prefsLen 23714 -prefMapSize 244658 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {cf8ad33e-fd7f-4f29-8de1-181ab5444f3e} 1392 "\\.\pipe\gecko-crash-server-pipe.1392" socket
    3⤵
    PID:536
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=3044 -childID 1 -isForBrowser -prefsHandle 3036 -prefMapHandle 1484 -prefsLen 23855 -prefMapSize 244658 -jsInitHandle 1236 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {abfd9baa-a359-4b85-b864-616d2d5ca281} 1392 "\\.\pipe\gecko-crash-server-pipe.1392" tab
    3⤵
    PID:2508
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=3540 -childID 2 -isForBrowser -prefsHandle 3596 -prefMapHandle 2588 -prefsLen 29088 -prefMapSize 244658 -jsInitHandle 1236 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {929e0b98-1721-43b3-bf79-283c45926aee} 1392 "\\.\pipe\gecko-crash-server-pipe.1392" tab
    3⤵
    PID:1848
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=5008 -parentBuildID 20240401114208 -sandboxingKind 0 -prefsHandle 5000 -prefMapHandle 4996 -prefsLen 29088 -prefMapSize 244658 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {7b9666c5-23d5-42f4-a588-45b0f0069bda} 1392 "\\.\pipe\gecko-crash-server-pipe.1392" utility
    3⤵
    - Checks processor information in registry
    PID:3092
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=5380 -childID 3 -isForBrowser -prefsHandle 5408 -prefMapHandle 4864 -prefsLen 27097 -prefMapSize 244658 -jsInitHandle 1236 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {5f29c15a-9183-4437-a7d1-1c5934f7d397} 1392 "\\.\pipe\gecko-crash-server-pipe.1392" tab
    3⤵
    PID:1420
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=5560 -childID 4 -isForBrowser -prefsHandle 5636 -prefMapHandle 5632 -prefsLen 27097 -prefMapSize 244658 -jsInitHandle 1236 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {154d1870-42bd-4776-9db8-38915698455f} 1392 "\\.\pipe\gecko-crash-server-pipe.1392" tab
    3⤵
    PID:5332
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=5752 -childID 5 -isForBrowser -prefsHandle 5828 -prefMapHandle 5824 -prefsLen 27097 -prefMapSize 244658 -jsInitHandle 1236 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {3fbeaf7a-ae72-4bc1-b008-f264217fbc3e} 1392 "\\.\pipe\gecko-crash-server-pipe.1392" tab
    3⤵
    PID:5408
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=4636 -childID 6 -isForBrowser -prefsHandle 6100 -prefMapHandle 5252 -prefsLen 28044 -prefMapSize 244658 -jsInitHandle 1236 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {def9ecd6-98f1-4171-b8c7-f9e9e6376b77} 1392 "\\.\pipe\gecko-crash-server-pipe.1392" tab
    3⤵
    PID:5584
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=6364 -childID 7 -isForBrowser -prefsHandle 6324 -prefMapHandle 6360 -prefsLen 28044 -prefMapSize 244658 -jsInitHandle 1236 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {9581b799-1df6-4bc2-b520-123c19f2acb7} 1392 "\\.\pipe\gecko-crash-server-pipe.1392" tab
    3⤵
    PID:2220

C:\Windows\SysWOW64\werfault.exe
werfault.exe /h /shared Global\0cf95ae2967c45798a081f735efcdf4e /t 5184 /p 6056
1⤵
PID:5380

C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
1⤵
PID:2716

C:\Users\Admin\Downloads\crabby rat\crabby rat\real.exe
"C:\Users\Admin\Downloads\crabby rat\crabby rat\real.exe"
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:3528
- C:\Windows\SYSTEM32\schtasks.exe
  "schtasks" /create /tn "EpicGames" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
  2⤵
  - Scheduled Task/Job: Scheduled Task
  PID:648
- C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
  "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of SetWindowsHookEx
  PID:5244
- - C:\Windows\SYSTEM32\schtasks.exe
    "schtasks" /create /tn "EpicGames" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
    3⤵
    - Scheduled Task/Job: Scheduled Task
    PID:3204

C:\Windows\SysWOW64\DllHost.exe
C:\Windows\SysWOW64\DllHost.exe /Processid:{06622D85-6856-4460-8DE1-A81921B41C4B}
1⤵
- System Location Discovery: System Language Discovery
PID:3516

C:\Windows\system32\rundll32.exe
"C:\Windows\system32\rundll32.exe" C:\Windows\system32\shell32.dll,Control_RunDLL C:\Windows\System32\srchadmin.dll ,
1⤵
PID:2884

C:\Windows\system32\BackgroundTransferHost.exe
"BackgroundTransferHost.exe" -ServerName:BackgroundTransferHost.13
1⤵
- Modifies registry class
PID:3312

C:\Users\Admin\Downloads\crabby rat\crabby rat\real.exe
"C:\Users\Admin\Downloads\crabby rat\crabby rat\real.exe"
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:5704

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Persistence

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Privilege Escalation

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Defense Evasion

Credential Access

Credentials from Password Stores

T1555

Credentials from Web Browsers

T1555.003

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Browser Information Discovery

T1217

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\real.exe.log

Filesize
1KB

MD5
b4e91d2e5f40d5e2586a86cf3bb4df24

SHA1
31920b3a41aa4400d4a0230a7622848789b38672

SHA256
5d8af3c7519874ed42a0d74ee559ae30d9cc6930aef213079347e2b47092c210

SHA512
968751b79a98961f145de48d425ea820fd1875bae79a725adf35fc8f4706c103ee0c7babd4838166d8a0dda9fbce3728c0265a04c4b37f335ec4eaa110a2b319

Download Submit
C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\ohbz3gv9.default-release\activity-stream.discovery_stream.json

Filesize
25KB

MD5
e7d55a3981f41dc0b8561f0a8cb6f6e0

SHA1
c3255a3e92286e8dca07273d3a58db6943bcba6b

SHA256
f71e1d8437698d643fabe92e6a1fd63d027c83534cbc8e3cfeb6cf352265b0f5

SHA512
6724b12cc4f2c30e67a3c033f8a8d2cd9a8c769ec9579dde679530ceadf46dce117c03bc76f12d0302f757223a93e42125e6b5a22b499776dab506e1e5e04be2

Download Submit
C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\ohbz3gv9.default-release\settings\main\ms-language-packs\browser\newtab\asrouter.ftl

Filesize
15KB

MD5
96c542dec016d9ec1ecc4dddfcbaac66

SHA1
6199f7648bb744efa58acf7b96fee85d938389e4

SHA256
7f32769d6bb4e875f58ceb9e2fbfdc9bd6b82397eca7a4c5230b0786e68f1798

SHA512
cda2f159c3565bc636e0523c893b293109de2717142871b1ec78f335c12bad96fc3f62bcf56a1a88abdeed2ac3f3e5e9a008b45e24d713e13c23103acc15e658

Download Submit
C:\Users\Admin\AppData\Local\Packages\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\AC\BackgroundTransferApi\481f85ba-7ac1-4f0d-a37c-640e529e1988.down_data

Filesize
555KB

MD5
5683c0028832cae4ef93ca39c8ac5029

SHA1
248755e4e1db552e0b6f8651b04ca6d1b31a86fb

SHA256
855abd360d8a8d6974eba92b70cbd09ce519bc8773439993f9ab37cb6847309e

SHA512
aba434bd29be191c823b02ea9b639beb10647bbe7759bbffdaa790dfb1ec2c58d74c525ef11aacda209e4effe322d1d3a07b115446c8914b07a3bce4d8a0e2c3

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zSC02F77F7\setup.exe

Filesize
7.3MB

MD5
a147d284d9191cd8783a8055a21bfcce

SHA1
6f87e8302e28192475a3c362ec1d7597427b016c

SHA256
f7b4074a646e742f61d2ecf4b1e78e56216748a35670e23e8ef585a8008aa761

SHA512
37d4de184b8b41a41324258ee4e5de5429228bfc89d1c9ca11a786382f11741e4741d11bc392351ee0620cb08151d710c04d92ed5e42ee165c4463d5897c5984

Download Submit
C:\Users\Admin\AppData\Local\Temp\Opera_installer_2412281225399626056.dll

Filesize
6.7MB

MD5
f526bf02296cae65098cd1a01dd9ce60

SHA1
58784200e942c798ccbe2e9030826703f3a0f985

SHA256
d122a48b7642d0b49b0c48f3d42d43aa18cd5c60d6497d8ce42b567e4d580b33

SHA512
6eee16d9bbe45d82473f302f513be8bcc84dd02d546b116f71a319b8f832df6d90c8e3469305fe18e2059842f02ea74f4ddf19dab8e4fe816eaf105fd87693df

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmpaddon

Filesize
479KB

MD5
09372174e83dbbf696ee732fd2e875bb

SHA1
ba360186ba650a769f9303f48b7200fb5eaccee1

SHA256
c32efac42faf4b9878fb8917c5e71d89ff40de580c4f52f62e11c6cfab55167f

SHA512
b667086ed49579592d435df2b486fe30ba1b62ddd169f19e700cd079239747dd3e20058c285fa9c10a533e34f22b5198ed9b1f92ae560a3067f3e3feacc724f1

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmpaddon-1

Filesize
13.8MB

MD5
0a8747a2ac9ac08ae9508f36c6d75692

SHA1
b287a96fd6cc12433adb42193dfe06111c38eaf0

SHA256
32d544baf2facc893057a1d97db33207e642f0dacf235d8500a0b5eff934ce03

SHA512
59521f8c61236641b3299ab460c58c8f5f26fa67e828de853c2cf372f9614d58b9f541aae325b1600ec4f3a47953caacb8122b0dfce7481acfec81045735947d

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\6824f4a902c78fbd.customDestinations-ms

Filesize
5KB

MD5
9b06bea4fa99ee84cd34da32fb77f861

SHA1
4aa92748ac950fc78c752ab9b7ea0de4f73441a6

SHA256
417cc0230ff588b56b47ea1d218eb300cbb3e4aaf30948f07183190ad8940884

SHA512
c391e8ec5690000e8234f86e7aa349c48ccd66c6637f1b142628c96e1cbda64deb79285dd0c52cc345cf7e5f3d9fdf97d745b94ba84547551b6044c08c4d1fe0

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\6824f4a902c78fbd.customDestinations-ms

Filesize
9KB

MD5
b503ceafc12f5b8622f3f9fcc6d37fb1

SHA1
e4a78f3ebc96c5173ebcad9cebe00c3e5a915c5f

SHA256
223831eada25fa507ceb8f7ade433de737b8d65141ac9a450b9c671360cbc225

SHA512
28272e03c6e6f1b3fe40f738f24cc73099bda29526cc45afa45bd86e1f04405288c61acc49e2333454a3007976e1e36111def9f72afc641ba58ae8cf67f86f00

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\ohbz3gv9.default-release\AlternateServices.bin

Filesize
6KB

MD5
02e6739c8353c6384b771f6b46501624

SHA1
6d2b62718ea6243f36fe2041d01710fbb2ff7009

SHA256
08c8b197fe8136149846f1c0d0bfe503ed139838b11f3bbfe8fe6260d2dc4c3b

SHA512
bb2c71e61acb77b1dc6ee1344ce3367db68a82a6c39e47d48232cf49053b3e38674641432e2d089107b6240d2affec54d86cac52fc34e774c02d6a3a12256809

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\ohbz3gv9.default-release\AlternateServices.bin

Filesize
8KB

MD5
1d1f80d01238bab06537c1dd6bdf435d

SHA1
1d16047aec4af6a21c234d43ca3838872be07a1e

SHA256
d3c4999ba624279e2c126526c5d604a07777da5445d83bc49d4f95959dbd6014

SHA512
93d14ae1ae18229ef2289b0e9e81b1d6e094092a5fada70ee252073b8a90c8477303eaaa1ad58eaa94cb5cef62d0b172fef41541ac0a171989e19d6f95a0c5e3

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\ohbz3gv9.default-release\bookmarkbackups\bookmarks-2024-12-28_11_zrihSVbctqiR1GbiTiRGTg==.jsonlz4

Filesize
1004B

MD5
c03c56b2eb1e6e75443868b97725feee

SHA1
74fd17c3af18ab01ea6cf4347180824fc6d10909

SHA256
55c073e7bd619821be5d7d0292b13a3579ff11aeea4dab936f59505b539e2cda

SHA512
6963108ab0a50031b1c9cb43f0a858168df8afc65150d28f356ef2414f186c7de1b14a030ea02f8dbedd5b7208ad8c1f2edbe1ba4056ce2a7f31a628487b9f62

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\ohbz3gv9.default-release\datareporting\glean\db\data.safe.tmp

Filesize
6KB

MD5
3fd4a64ff228398ccba29f01cb428feb

SHA1
471c97045fb35a3e92f3d453e879ff61c148c8ac

SHA256
d8eb195cc2ea0c4f2860a9e6daf21de0eb7c1d1d81b007f96413330613fed95e

SHA512
11f9709d3872a0acc04282371b7792cad33537dd0d4cc54c22c5b62f2adea33cbd9492df90c83e03728d9982408c8b6c2a0fb86a5639d33c27ee0d401912229f

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\ohbz3gv9.default-release\datareporting\glean\db\data.safe.tmp

Filesize
5KB

MD5
2c4650db6ef08cf05db07e2f922d8e61

SHA1
1a50dfb659cf503fafc41e2fe89c5bddee050889

SHA256
a5c306d13195a824c2f88971d7e92e44b9f5f7862cca4ed8aac9cab08141d3b2

SHA512
d8a8e6285f1381215c1c47f08c22afb127cc3f77545ac798ffb8e0b8a25018f5668341dd82c5db5f023ba108682b6059afa03e6bc132bfdd16074982d89825f3

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\ohbz3gv9.default-release\datareporting\glean\db\data.safe.tmp

Filesize
36KB

MD5
d727025357456997b7ded21300eee69f

SHA1
da0ec448003cd65f5f67362583b6412d45ae2622

SHA256
58f2e02db3bf48e6ef06b0ed553e26e6e0476028d390f79597cb4e66e9076109

SHA512
159c67025b9a66bf4aceb14b84f9811f17eeb8fbe613bc540807dafa808b126c5c41d62c030bd0232e25e8db26b2a95c4b10004b47e0712a9dd0bbf0ecadc89a

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\ohbz3gv9.default-release\datareporting\glean\pending_pings\01e8f028-b5b7-4bad-bd98-e9f37260cb5c

Filesize
982B

MD5
b23816c259b093314dc70292aa83a0e2

SHA1
e4069bb2464ae1dc9f2edeee59c7120958ff8e3b

SHA256
0362cad6f93dbfea5c988fbe112a2c49e7040b52e7c14621f32f8fc40d8de533

SHA512
f19475492f483372b82a7949096ee46bd5908f9747bc0e61f255e54afea2ec49af8346765d2ae6474fd8a631bc16857122063519258fc7283d22f8f961140d1f

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\ohbz3gv9.default-release\datareporting\glean\pending_pings\f08ba8de-6dd2-45fc-ae9d-9731ee2da2d0

Filesize
671B

MD5
2b3bad2f30af8dea91c5952421ca2d43

SHA1
5a9a4cfcd3c50a419a449e0a5f5772898b478bbf

SHA256
fadceff632fd708b6ff4ced58b4f9d8bcaef216e54b0534ee00aae3df82496da

SHA512
d131b9825c5cac7814f341d37b8b3040d7669f5c8e52489076467ecb91bb9705bbf3cad0c61ad065a63bf59825bf2dfd42e9c3078b0e2045b7628165deb1865e

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\ohbz3gv9.default-release\datareporting\glean\pending_pings\f2ad76e4-7648-449c-8819-c330375db72e

Filesize
24KB

MD5
2d96a985d72ea7bb4ef5ce4c7e4c8929

SHA1
4f92a2cf290243d85179cbabee3e38ea9b59fe3b

SHA256
6370f761e82a5cd1bebbec536a5e73164c4725a2c904bd96c90d04770a3ad425

SHA512
feab57a8d5ea54d1ced9d19f7406228d726756c6aa59e787b273e6a619358da0f894960e03fd4702e1f04bebb9635c87480279696a2616b984f4d1540b9a8b5d

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\ohbz3gv9.default-release\gmp-gmpopenh264\2.3.2\gmpopenh264.dll

Filesize
1.1MB

MD5
842039753bf41fa5e11b3a1383061a87

SHA1
3e8fe1d7b3ad866b06dca6c7ef1e3c50c406e153

SHA256
d88dd3bfc4a558bb943f3caa2e376da3942e48a7948763bf9a38f707c2cd0c1c

SHA512
d3320f7ac46327b7b974e74320c4d853e569061cb89ca849cd5d1706330aca629abeb4a16435c541900d839f46ff72dfde04128c450f3e1ee63c025470c19157

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\ohbz3gv9.default-release\gmp-gmpopenh264\2.3.2\gmpopenh264.info

Filesize
116B

MD5
2a461e9eb87fd1955cea740a3444ee7a

SHA1
b10755914c713f5a4677494dbe8a686ed458c3c5

SHA256
4107f76ba1d9424555f4e8ea0acef69357dfff89dfa5f0ec72aa4f2d489b17bc

SHA512
34f73f7bf69d7674907f190f257516e3956f825e35a2f03d58201a5a630310b45df393f2b39669f9369d1ac990505a4b6849a0d34e8c136e1402143b6cedf2d3

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\ohbz3gv9.default-release\gmp-widevinecdm\4.10.2710.0\manifest.json

Filesize
372B

MD5
bf957ad58b55f64219ab3f793e374316

SHA1
a11adc9d7f2c28e04d9b35e23b7616d0527118a1

SHA256
bbab6ca07edbed72a966835c7907b3e60c7aa3d48ddea847e5076bd05f4b1eda

SHA512
79c179b56e4893fb729b225818ab4b95a50b69666ac41d17aad0b37ab0ca8cd9f0848cbc3c5d9e69e4640a8b261d7ced592eae9bcb0e0b63c05a56e7c477f44e

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\ohbz3gv9.default-release\gmp-widevinecdm\4.10.2710.0\widevinecdm.dll

Filesize
17.8MB

MD5
daf7ef3acccab478aaa7d6dc1c60f865

SHA1
f8246162b97ce4a945feced27b6ea114366ff2ad

SHA256
bc40c7821dcd3fea9923c6912ab1183a942c11b7690cfd79ed148ded0228777e

SHA512
5840a45cfdb12c005e117608b1e5d946e1b2e76443ed39ba940d7f56de4babeab09bee7e64b903eb82bb37624c0a0ef19e9b59fbe2ce2f0e0b1c7a6015a63f75

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\ohbz3gv9.default-release\prefs-1.js

Filesize
10KB

MD5
e36a3cc078b7b928eaa215c9bebf9910

SHA1
e4a75f12236a80ebdf4058151843fb9b793b800c

SHA256
78448a23e526c5643831580d7e3895e609101e087672a31f16d01449211ef547

SHA512
3e44d89ca8426ecbef370dcae38387fb21321975c59f7bd4c3ef41da5f92a8abbf91d88938d38d33cc3fc243055222efdb10adb3bbd56bfec20fd6f4d7cb4a63

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\ohbz3gv9.default-release\prefs-1.js

Filesize
11KB

MD5
5d29a6d9e27a535344be6c0b499c8023

SHA1
2d1d95b0a2b85ee864c7b4e9829f331b47745784

SHA256
6b724daf9fd730599ea0017bc1a8531e5de6c24a31d60909ed8fe00ca4959648

SHA512
9f5f252d7be1d6dd6694a031f271af5eb4ce7e85d1809b4ef7f24ea78c91c6ffa927dc03f6f5bd221973e502080ae20a66dc7b4143d9acba26bc80eea7a13ea8

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\ohbz3gv9.default-release\prefs-1.js

Filesize
12KB

MD5
11fbe132b71fde9d64078fb92a4aeb6a

SHA1
e24abe0b6f28e946eca0bbb012a4eaf241ab4074

SHA256
6bf17737a2df75de38d9c92290138074ccf01eff6c580578b48cb87bf9ae81e9

SHA512
b6c2b6a8b1dd637afbcc292a786d219e8518943a05b81b067b9ef360bc9940e015755f605ffcf43b8b23b5a7f4e36d701c531040766b39e2ce000b6be6de5774

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\ohbz3gv9.default-release\sessionstore-backups\recovery.baklz4

Filesize
1KB

MD5
603caa322eb09319b4a35f14e98d4dc6

SHA1
6df85db0a3fc7fcaaa86f5601a2bc6317bb0c528

SHA256
cfe037336da39fb9be791f8769ec99c45a10544505329c7999223cfe608518ad

SHA512
62e686203dea0f0db045618de1b534495533392ce0548225d7893e0cbe9b84fc5a1e561da0000a85210879afe1f05e27e1e1c3f52dd999b20f3a0deef7d78651

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\ohbz3gv9.default-release\sessionstore-backups\recovery.baklz4

Filesize
1KB

MD5
1a61d108b9a2d4920ba58d879a333f5c

SHA1
b2184a589c74f5a59c6d8adcc7e185f3a2044def

SHA256
2b9afecfa6a47b4962b0a806979bf8c7f8c023dcad1f87a6be3344aea23c1995

SHA512
4c27b98e96f9d8331893088343217950674066e93330ea4dc8880b9869e6690f5051b8c618578f799698bcba4c17bc5276ef2cac3efd735236ebbe990b923733

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\ohbz3gv9.default-release\sessionstore-backups\recovery.baklz4

Filesize
1KB

MD5
7f96287b67b004eb512ad9c940050e71

SHA1
195edd9ac693889b9fb2f65bf8e01a9050637fdb

SHA256
35e1cd66d4a7f532b8b898c9921c385800e8070e282884920035614d00594551

SHA512
10325fc369b1f3d66b0290cd25f4a85e11cc01652c038f1d5458ed8115d7c7405b4943dee6a03f727ffd7d10ae8779dacc63797dc73c5834e1f54b9dcfd6a9a9

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\ohbz3gv9.default-release\sessionstore-backups\recovery.baklz4

Filesize
1KB

MD5
c90d340b0c19db538cb93796c9582e9c

SHA1
6955b939cab7f21223215f6661d3cbfc2f16f789

SHA256
c7efd7ab0421ffd378edbc1231748350710622fcd600ecd5c52e8e221cd94488

SHA512
44fd26e76f4713de54e6c997cacf6d4cb4bd29496616f8cc3c8050e373e51541e097ce1ad97472941e2f8430709009a9369c5f59de095c2a977cd493c6b59c41

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\ohbz3gv9.default-release\sessionstore-backups\recovery.baklz4

Filesize
2KB

MD5
be83f42317ebb5a2b5f33f41d4cc7864

SHA1
02d0eedda5d5d48fd00d237cb6621fbe01e203e2

SHA256
0de98fdd239ac0516987cce24cd2eb7efc08d0942d6a9bac4f73b6f0bebcf3c7

SHA512
cb52ea097cba1aada0cf9c6bd87344731296fb3839cf3b798bc70e8f0041b38c75e88d5c7d22dbb8aaf6c35967149a48f4e69563100de5a271ea3ab63019da5a

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\ohbz3gv9.default-release\sessionstore-backups\recovery.baklz4

Filesize
1KB

MD5
8cfa948ff43e50fdd797d02d6ce90fe8

SHA1
a807cd59132590d9493a0225c9517a7ea463e361

SHA256
8027fc3ed44e41807687f677839ad0356c98d63686fa790785d74802ce8de46d

SHA512
db366ff6fb4d4d5a0c793df455355b4576eaec89b93f29b83d29570772e1712301f13e44eb5dfbaa60cdcbfc8c80f07a62f0742fe0b082698b2cb89cf91b16eb

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\ohbz3gv9.default-release\sessionstore-backups\recovery.baklz4

Filesize
1KB

MD5
e03d1a5b4b25c993f629e034fe0b40cb

SHA1
efcf8b39847e6951082f2a4e5f107d04394b35e0

SHA256
b3470a331e41d16b4730e6a7170c63e08146ea8ed26169224eec9e28ecd7708f

SHA512
1ce0b8a1e31fcd04631198ce582b45547b0e83c4a5a3a108b976e8cccf4d42de84d115d8aebd087a36e5766d429fafe3bce03c3333728fe7ec0ec209c02b3ef0

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\ohbz3gv9.default-release\storage\permanent\chrome\idb\3870112724rsegmnoittet-es.sqlite

Filesize
384KB

MD5
43d8b5e920dfc7a58a8b27df40240514

SHA1
be2447441d74a1942866558fe4293c7aa86b9b04

SHA256
e63c0c180ca3d780ddc90291529ca3595e3027b85379999cdc88aa86b130ecf1

SHA512
d60d5451178387830635994f31e7b14a427ed97e1eda47a06218537e185748310fc075be3dd26b83bf8c56a51ed392ada45f1eceb45bffc8dd3b21b4456160d4

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\ohbz3gv9.default-release\storage\permanent\chrome\idb\3870112724rsegmnoittet-es.sqlite

Filesize
592KB

MD5
85674cf145b8408f2107e9382af2791a

SHA1
c3b7fa940b2deb54abfffdede58438b12f4d45e4

SHA256
a617387d6f709e838e8012908b361d350149f82937420c67726276f2de463204

SHA512
02cc8214702c563370324091d6dd073ecbdcc21fd7745cdbb3f114f640bf24d205c640b825337eb0fc4da4498d84b89ef69bccf00034941190eb40f0f290cefc

Download Submit
C:\Users\Admin\AppData\Roaming\Opera Software\Opera GX Stable\Crash Reports\settings.dat

Filesize
40B

MD5
aed6f7bc9be74a6ad052e6faec24120f

SHA1
fed93da2655ade320e3053302dffcd504b14a419

SHA256
e0d888547ef244ecca98f45c9f9c0b380f68960e7930bb5ff535897856cdcc04

SHA512
538cf284d8ff6c00478f8cf31b41dfcf2464364c2873bdf41c166c3c51392870a0fc3737206fcb993edd3a155311b7974b465ac18c848a0b45303367fb0df289

Download Submit
C:\Users\Admin\AppData\Roaming\SubDir\Client.exe

Filesize
3.1MB

MD5
3ddb07a1673d865ed10b90d14ddd3b01

SHA1
e3cdbf4894075b339e6b231dd4058bf1b6b22689

SHA256
6f009d20cfd55df34c93534e45955198100615fa962ae29f0ada0e6210f749b0

SHA512
1c8fd89b1cb5bf1b7f21f1da758b4572c635b4efe3b289135204d389b446af004150b720aecb5e5e16767b7d741c0676b87855a64973611f9720174443558d06

Download Submit
C:\Users\Admin\Downloads\crabby rat.C3w738J3.zip.part

Filesize
1.2MB

MD5
de973bd6c3a4a2ca530c8e72dc5597e2

SHA1
751088e559b6385c9d697f45e5775f2af67d88ae

SHA256
c30dcff9cfb7602c804fb24ffe9fd5356fd29e8907b3ea839dd898fc60e5f9af

SHA512
9b3a6673691d1716f42f86782d0fe12b7d80f3e51bbd095650d25c09552ccebb436deec965dba896418b83f741fa7c95d5353914f3ff07b0930db5c58af9dcf0

Download Submit
memory/3528-614-0x00000000007E0000-0x0000000000B04000-memory.dmp

Filesize
3.1MB

Download
memory/5244-625-0x000000001C4E0000-0x000000001CA08000-memory.dmp

Filesize
5.2MB

Download
memory/5244-621-0x000000001BCF0000-0x000000001BDA2000-memory.dmp

Filesize
712KB

Download
memory/5244-620-0x000000001BBE0000-0x000000001BC30000-memory.dmp

Filesize
320KB

Download